Description of the patch:
This update for apache-sshd, jpgpj fixes the following issues:
- CVE-2020-36843: no check performed on scalar to avoid signature malleability (bsc#1239551).
- CVE-2026-48827: Apache MINA SSHD: Path traversal in org.apache.sshd: sshd-git (bsc#1267018).
Changes for jpgpj:
- Initial packaging with v1.3
Changes for apache-sshd:
- Update to upstream version 2.18.0
  - GH-743 Ensure the Java ServiceLoader use a singleton SftpFileSystemProvider
  - GH-879 Close SSH channel gracefully on exception in port forwarding
  - Security: Improve handling of repository paths in sshd-git. Resolves CVE-2026-48827, bsc#1267018
  - GH-892 Align handling certificates without principals with OpenSSH 10.3
- Update to upstream version 2.17.1
  - GH-875 Use Apache Parent POM 36
- Update to upstream version 2.17.0
  - GH-469, SSHD-897 Fix duplicate character echo with interactive shells
  - GH-721 SSH client: schedule session timeout checks on demand only
  - GH-807 Handle 'verified' flag for sk-* keys
  - GH-809 Fix server-side authentication for FIDO/U2F sk-* keys with flags in authorized_keys
  - GH-827 Don't fail on invalid known_hosts lines; log and skip them
  - GH-830 EC public keys: let Bouncy Castle generate X.509 encodings with the curve OID as algorithm parameter
  - GH-855 SFTP: use a single SftpClient per SftpFileSystem
  - GH-856 Fix using ed25519 with BC-FIPS
  - GH-861 SFTP client: prevent sending zero-length writes in SftpOutputStreamAsync
  - SSHD-1348 Fix zero-length SFTP reads
  - SSHD-1349 Bump PMD to 7.20.0 to avoid StackOverflowError when compiling on Java 26-ea
  - GH-814 Include a fix for CVE-2020-36843 (bsc#1239551) in optional dependency net.i2p.crypto:eddsa:0.3.0: perform the missing range check in Apache MINA SSHD before delegating to the signature verification in net.i2p.crypto:eddsa:0.3.0. This means that using net.i2p.crypto:eddsa:0.3.0 in Apache MINA SSHD is safe despite that CVE in the...
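
The range check mentioned in the GH-814 entry, as an added example (not code from Apache MINA SSHD, net.i2p.crypto:eddsa or this advisory). It assumes the check meant is the RFC 8032 rule that the signature scalar S must satisfy 0 <= S < L, and shows on a constructed sample that S and S + L map to the same curve point, which is why a verifier without the check accepts both encodings. All function names and the sample signature are illustrative.

```python
# Ed25519 parameters from RFC 8032.
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493  # order of base point B
D = -121665 * pow(121666, -1, P) % P

def add(a, b):
    """Complete twisted-Edwards addition in affine coordinates."""
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + x2 * y1) * pow((1 + t) % P, -1, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow((1 - t) % P, -1, P) % P
    return x3, y3

def scalar_mult(k, pt):
    """Double-and-add; not constant time, illustration only."""
    acc = (0, 1)  # neutral element
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def base_point():
    """Recover B from y = 4/5, choosing the even square root for x."""
    y = 4 * pow(5, -1, P) % P
    xx = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(xx, (P + 3) // 8, P)
    if (x * x - xx) % P:
        x = x * pow(2, (P - 1) // 4, P) % P
    return (P - x if x & 1 else x), y

def s_in_range(signature: bytes) -> bool:
    """The range check: accept only 64-byte signatures with 0 <= S < L."""
    return len(signature) == 64 and int.from_bytes(signature[32:], "little") < L

# Constructed sample: R is a placeholder, S is an arbitrary in-range scalar.
R = bytes(32)
S = 0x1234567890ABCDEF % L
CANONICAL = R + S.to_bytes(32, "little")
NONCANONICAL = R + (S + L).to_bytes(32, "little")  # same scalar mod L

if __name__ == "__main__":
    B = base_point()
    print("[S]B == [S+L]B:", scalar_mult(S, B) == scalar_mult(S + L, B))
    print("canonical passes:", s_in_range(CANONICAL))
    print("S + L passes:", s_in_range(NONCANONICAL))
```

The check runs on the raw signature bytes, so it can be applied before handing the signature to a verification library that does not perform it.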